[PATCH] Add option to password-protect only editing of entries
From: Mikhail Novosyolov
Subject: [PATCH] Add option to password-protect only editing of entries
Date: Sun, 30 Aug 2020 23:18:41 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
It may be required to password-protect editing of the kernel cmdline
but keep the OS able to boot without a password.
Adding a variable GRUB_PASSWORD_PROTECT_ONLY_EDITING which can be
set in /etc/default/grub as "GRUB_PASSWORD_PROTECT_ONLY_EDITING=true"
to make Grub not ask for a password when just booting entries without editing them.
Credits go to
http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html
---
util/grub-mkconfig.in | 3 ++-
util/grub.d/10_linux.in | 11 ++++++++---
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index 32d854b02..0d21e3652 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -238,7 +238,8 @@ export GRUB_DEFAULT \
GRUB_ENABLE_CRYPTODISK \
GRUB_BADRAM \
GRUB_OS_PROBER_SKIP_LIST \
- GRUB_DISABLE_SUBMENU
+ GRUB_DISABLE_SUBMENU \
+ GRUB_PASSWORD_PROTECT_ONLY_EDITING
if test "x${grub_cfg}" != "x"; then
rm -f "${grub_cfg}.new"
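Review bot: GRUB_PASSWORD_PROTECT_ONLY_EDITING is added to the export list here without any documentation; the diffstat lists only util/grub-mkconfig.in and util/grub.d/10_linux.in. Please add an entry for it next to the other /etc/default/grub keys in the GRUB manual, and say there that it has an effect only when a superuser password is configured and that it applies only to entries generated by 10_linux.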
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
index b5b6ebc08..1e61c0eba 100644
--- a/util/grub.d/10_linux.in
+++ b/util/grub.d/10_linux.in
@@ -28,6 +28,11 @@ export TEXTDOMAINDIR="@localedir@"
CLASS="--class gnu-linux --class gnu --class os"
+if [ "x${GRUB_PASSWORD_PROTECT_ONLY_EDITING}" = "xtrue" ]
+ then unrestricted="--unrestricted "
+ else unrestricted=" "
+fi
+
if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
OS="$(sed 's, release .*$,,g' /etc/system-release)"
else
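Review bot: the else branch of the new block sets unrestricted to a single space rather than the empty string, so with the option unset every generated line picks up stray whitespace (two spaces between the title and --class in the menuentry lines, two spaces after "submenu"). Use unrestricted="" there; the trailing space inside "--unrestricted " already acts as the separator. The "then"/"else" on their own lines also differ from the `if [ ... ] ; then` form used by the GRUB_DISTRIBUTOR test right below.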
@@ -102,9 +107,9 @@ linux_entry ()
title_correction_code="${title_correction_code}if [ \"x\$default\" =
'$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;"
grub_warn "$(gettext_printf "Please don't use old title \`%s' for
GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or
later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title"
"gnulinux-advanced-$boot_device_id>gnulinux-$version-$type-$boot_device_id")"
fi
- echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS}
\$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed
"s/^/$submenu_indentation/"
+ echo "menuentry '$(echo "$title" | grub_quote)' ${unrestricted}${CLASS}
\$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed
"s/^/$submenu_indentation/"
else
- echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS}
\$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed
"s/^/$submenu_indentation/"
+ echo "menuentry '$(echo "$os" | grub_quote)' ${unrestricted}${CLASS}
\$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed
"s/^/$submenu_indentation/"
fi
if [ x$type != xrecovery ] ; then
save_default_entry | grub_add_tab
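Review bot: ${unrestricted} is added to both menuentry lines in linux_entry without checking $type, so the recovery entries (the function tests for xrecovery just below) also become bootable without a password. The commit message only asks for a normal boot to work without a password, so consider emitting --unrestricted only when type is not recovery, or state explicitly in the option's description that recovery entries are included.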
@@ -285,7 +290,7 @@ while [ "x$list" != "x" ] ; do
boot_device_id="$(grub_get_device_id "${GRUB_DEVICE}")"
fi
# TRANSLATORS: %s is replaced with an OS name
- echo "submenu '$(gettext_printf "Advanced options for %s" "${OS}" |
grub_quote)' \$menuentry_id_option 'gnulinux-advanced-$boot_device_id' {"
+ echo "submenu ${unrestricted}'$(gettext_printf "Advanced options for %s"
"${OS}" | grub_quote)' \$menuentry_id_option
'gnulinux-advanced-$boot_device_id' {"
is_top_level=false
fi
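Review bot: in the submenu line ${unrestricted} is placed before the quoted title, while the two menuentry lines in linux_entry place it after the title and before ${CLASS}. Put the option after the title here as well so the generated grub.cfg is consistent, and note that opening the "Advanced options" submenu without a password exposes every entry inside it, including any that are themselves marked unrestricted.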
--
2.25.1